
How do hackers hide their malware on Windows so that it starts up and is impossible to find and delete?

The results I found that a hacker can use to hide his malware (found here):

Windows: setting the hidden attribute.

But I find these results too simple; they could easily be discovered if the user changes settings. On Windows, to start something up when the computer boots, it needs to either be placed in the Startup folder or started as a service.

So these can all be detected if the user has the correct settings in place and checks his services.

How does a good hacker hide a program on a computer to start up without ever being detected? Please give me examples.

And after that

I have a theory that if one makes his program always start itself just before it is killed, then it can never be deleted from the normal Windows interface. Please tell me if I'm going bananas or if this can be achieved.

schroeder
user3818650
    A really good hacker modifies the bootloader (the program that starts Windows when you turn the computer on). This would bypass all AV programs, because it would start before the OS and everything else. Microsoft knows this, though, which is one of the (stated) reasons for UEFI and other secure BIOS bootloaders. Hackers have responded by pushing malware down into hardware. Otherwise... you don't have to register yourself as a service, just co-opt somebody else (by, say, modifying some other service to start you up). Most of the easy stuff is well understood and defended against now. – Clockwork-Muse Apr 12 '15 at 12:45
  • @Clockwork-Muse So how do we hackers modify the bootloader, or push a program into hardware? Are these difficult? – user3818650 Apr 12 '15 at 12:52
  • 2
    Well, first you have to get to it. You could always install something while physically present. Otherwise, you have to do it remotely, which means you either need to 1) attack the hardware of the machine (ie, perhaps the network card doesn't properly sanitize all input), or 2) Write regular malware to modify the bootloader/etc. note: if you can get this to run **at all**, you can probably do whatever you want without going that far. Getting lower is about _staying_ undetected (and opening up more possibilities). – Clockwork-Muse Apr 12 '15 at 13:08
  • @Clockwork-Muse Where could I read more? – user3818650 Apr 12 '15 at 13:09
  • 1
    ...You could check Amazon. Why do you want to know, exactly? If you're wanting to defend against this kind of thing, your best options are generally: 1) Don't use an admin account (and be careful with UAC-type prompts), 2) Be careful where you go on the internet, 3) Keep your OS up-to-date, and 4) don't plug unknown USB drives into your machine. Generally, the basic protections of an up-to-date OS will do an adequate job of protecting you, so long as no overly facepalm-worthy actions are taken. Anything capable of bypassing them is likely getting in anyways... – Clockwork-Muse Apr 12 '15 at 13:25
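The question lists only the Startup folder and services as places a program can be made to start with Windows. The following is an added example, not code from the question or the comments, that goes further than the question does: it walks the common Windows autostart locations (Run/RunOnce keys for the machine and the current user, both Startup folders, auto-start services, and scheduled tasks) and flags every entry whose executable is missing or does not carry a valid Authenticode signature. It assumes Windows 8 or later with PowerShell 5.1, run from an elevated session so that HKLM, all services and all tasks are readable; the `-Force` on `Get-ChildItem` is what defeats the "hidden attribute" trick from the question.

```powershell
# Added example (not from the original post). Enumerates common Windows autostart
# locations and reports entries whose binary is missing or not validly signed.
# Assumes Windows 8+/PowerShell 5.1 in an elevated session.

$PsNoise = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-RunKeyEntries {
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        foreach ($p in (Get-ItemProperty -Path $k).PSObject.Properties) {
            if ($PsNoise -contains $p.Name) { continue }   # provider metadata, not values
            [pscustomobject]@{ Source = $k; Name = $p.Name; Command = [string]$p.Value }
        }
    }
}

function Get-StartupFolderEntries {
    $shell   = New-Object -ComObject WScript.Shell      # used to resolve .lnk targets
    $folders = [Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup')
    foreach ($f in $folders) {
        if (-not (Test-Path $f)) { continue }
        foreach ($item in Get-ChildItem -LiteralPath $f -File -Force) {   # -Force: include hidden files
            $target = $item.FullName
            if ($item.Extension -eq '.lnk') { $target = $shell.CreateShortcut($item.FullName).TargetPath }
            [pscustomobject]@{ Source = $f; Name = $item.Name; Command = $target }
        }
    }
}

function Get-ServiceEntries {
    foreach ($s in Get-CimInstance -ClassName Win32_Service -Filter "StartMode='Auto'") {
        [pscustomobject]@{ Source = 'Service'; Name = $s.Name; Command = $s.PathName }
    }
}

function Get-TaskEntries {
    foreach ($t in Get-ScheduledTask | Where-Object State -ne 'Disabled') {
        foreach ($a in $t.Actions) {
            if ($a.Execute) {   # only exec actions have a binary; COM-handler actions do not
                [pscustomobject]@{ Source = "Task $($t.TaskPath)"; Name = $t.TaskName
                                   Command = "$($a.Execute) $($a.Arguments)" }
            }
        }
    }
}

# Turn a raw command line ("C:\Program Files\x\y.exe" /arg, or an unquoted path
# with arguments, or a bare exe name found via PATH) into the executable on disk.
function Resolve-ExecutablePath([string]$Command) {
    if ([string]::IsNullOrWhiteSpace($Command)) { return $null }
    $c = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($c.StartsWith('"')) {
        $end = $c.IndexOf('"', 1)
        if ($end -gt 1) { return $c.Substring(1, $end - 1) }
    }
    $tokens = $c -split ' '
    for ($i = $tokens.Count; $i -ge 1; $i--) {          # longest leading token run that is a file
        $candidate = $tokens[0..($i - 1)] -join ' '
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    $app = Get-Command -Name $tokens[0] -CommandType Application -ErrorAction SilentlyContinue
    if ($app) { return @($app)[0].Path }
    return $null
}

function Get-AutostartReport {
    $entries = @(Get-RunKeyEntries) + @(Get-StartupFolderEntries) + @(Get-ServiceEntries) + @(Get-TaskEntries)
    foreach ($e in $entries) {
        $exe = Resolve-ExecutablePath $e.Command
        $status = 'NotFound'; $signer = $null
        if ($exe) {
            $sig = Get-AuthenticodeSignature -LiteralPath $exe   # catalog-signed OS files report Valid too
            $status = $sig.Status
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }
        [pscustomobject]@{ Source = $e.Source; Name = $e.Name; Executable = $exe; Signature = $status; Signer = $signer }
    }
}

# Unsigned, tampered or missing binaries in an autostart location are the first things to look at.
Get-AutostartReport | Where-Object { $_.Signature -ne 'Valid' } | Format-Table -AutoSize -Wrap
```

Two caveats a practitioner would want with this. A `Valid` result is not proof of innocence: the "co-opt some other service" trick from the comments leaves the legitimate, signed binary in place and changes only what it loads or is told to run, so entries should also be compared against a known-good baseline (Sysinternals Autoruns covers many more locations, such as Winlogon, AppInit_DLLs and WMI event subscriptions). And everything here asks the running OS for the truth, which is exactly what a kernel or boot-level rootkit controls; a clean result from inside the infected system is only as trustworthy as that system.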

2 Answers


There are many ways to do this. The term you are looking for is "rootkit" - that should send you down a rich road of research.

As for specifics, the attacker could replace a core Windows program with an infected one so it always gets loaded when Windows starts up normally. Or, the attacker could infect the BIOS. These two methods are impossible for a normal user to detect or to change once infected, which is why strong Anti-malware tries to detect and prevent these things.

A very cool alternative (more theory than actual) was to convert the existing operating system into a virtual machine and install a malicious hypervisor over top. In this way, there would be no change at all to the operating system, and the hypervisor could fiddle with the operation of the machine as it ran. In this case, even the perfect anti-malware program would be helpless.

schroeder
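The answer names two places an attacker can sit below the reach of a normal user: a replaced core Windows binary and the firmware or boot path. The following is an added example, not code from the answer, showing the two checks that can be made from inside a running Windows for those cases: whether the firmware is enforcing UEFI Secure Boot, and whether the binaries on the Windows boot path still carry a valid Microsoft signature. It assumes 64-bit Windows 8 or later with PowerShell 5.1 in an elevated session; the list of core binaries is this example's own choice. The caveat the answer implies applies here too: a rootkit that owns the kernel can lie to both queries, so a non-Valid result is evidence of tampering but a Valid one is not proof of its absence, and the authoritative check is done offline from clean boot media.

```powershell
# Added example (not from the answer). Checks Secure Boot state and the
# signatures of core boot-path binaries from inside a running Windows.
# Assumes 64-bit Windows 8+/PowerShell 5.1, elevated.

function Get-SecureBootState {
    # Returns $true/$false on UEFI firmware; $null on legacy BIOS, where the cmdlet throws.
    try { return [bool](Confirm-SecureBootUEFI -ErrorAction Stop) }
    catch { return $null }
}

function Test-CoreBinarySignatures {
    $root  = $env:SystemRoot
    # Example's own list: the chain from the OS loader through the first user-mode processes.
    $files = "$root\System32\winload.efi", "$root\System32\winload.exe",
             "$root\System32\winresume.efi", "$root\System32\ntoskrnl.exe",
             "$root\System32\hal.dll", "$root\System32\ci.dll",
             "$root\System32\smss.exe", "$root\System32\csrss.exe",
             "$root\System32\wininit.exe", "$root\System32\winlogon.exe",
             "$root\System32\services.exe", "$root\System32\lsass.exe",
             "$root\explorer.exe"
    foreach ($f in $files) {
        if (-not (Test-Path -LiteralPath $f)) {
            [pscustomobject]@{ File = $f; Status = 'Missing'; Signer = $null; Trusted = $false }
            continue
        }
        $sig     = Get-AuthenticodeSignature -LiteralPath $f   # catalog signatures are honoured
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        # Windows' own binaries are Microsoft-signed; a valid signature by anyone else is still a replacement.
        $trusted = ($sig.Status -eq 'Valid') -and ($subject -like '*O=Microsoft Corporation*')
        [pscustomobject]@{ File = $f; Status = $sig.Status; Signer = $subject; Trusted = $trusted }
    }
}

$sb = Get-SecureBootState
if ($sb -eq $null) { 'Secure Boot: not available (legacy BIOS boot)' }
else               { "Secure Boot enforced: $sb" }

Test-CoreBinarySignatures | Where-Object { -not $_.Trusted } | Format-Table -AutoSize -Wrap
```

`sfc /verifyonly` performs the same kind of integrity check across the whole protected file set, and the UEFI boot manager itself (`bootmgfw.efi`) lives on the EFI system partition, which can be mounted with `mountvol` and checked the same way; neither is shown here because both still trust the running kernel.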

Another thing is crypters. Crypters are software, just like obfuscators, that take in a malware and encrypt its data so that it becomes undetectable by any anti-malware program. These crypters use a special encryption algorithm and a method to inject the malware directly into an already running program like explorer.exe without even touching the hard drive. These crypters are updated on a daily basis, analogous to anti-malware programs, to stay undetectable. They account for more than 50% of stupid malware/Trojans/keyloggers.

skdhfgeq2134
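Code that is injected into explorer.exe "without touching the hard drive" still has to live somewhere in that process, and that somewhere is usually a committed, private (not image-backed) memory region with execute permission, which a module loaded from disk never needs. The following is an added example, not code from the answer, that walks the virtual address space of every explorer.exe with `VirtualQueryEx` and lists exactly those regions. It assumes 64-bit Windows with 64-bit PowerShell 5.1, run as the same user that owns explorer.exe (no elevation needed for that case); the P/Invoke wrapper and constants are declared in the block and are this example's own.

```powershell
# Added example (not from the answer). Lists committed, private, executable
# memory regions in explorer.exe, the usual footprint of in-memory injection.
# Assumes 64-bit Windows, 64-bit PowerShell 5.1, same user as explorer.exe.

if (-not ('ProcMem' -as [type])) {
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
[StructLayout(LayoutKind.Sequential)]
public struct MEMORY_BASIC_INFORMATION {
    public IntPtr BaseAddress;
    public IntPtr AllocationBase;
    public uint   AllocationProtect;
    public IntPtr RegionSize;
    public uint   State;
    public uint   Protect;
    public uint   Type;
}
public static class ProcMem {
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr VirtualQueryEx(IntPtr h, IntPtr addr, out MEMORY_BASIC_INFORMATION mbi, IntPtr len);
    [DllImport("kernel32.dll")]
    public static extern bool CloseHandle(IntPtr h);
}
'@
}

function Find-PrivateExecutableRegions([int]$ProcessId) {
    $PROCESS_QUERY_INFORMATION = 0x0400; $PROCESS_VM_READ = 0x0010
    $MEM_COMMIT  = 0x1000
    $MEM_PRIVATE = 0x20000                                # neither MEM_IMAGE (0x1000000) nor MEM_MAPPED
    $EXEC_MASK   = 0x10 -bor 0x20 -bor 0x40 -bor 0x80     # PAGE_EXECUTE, _READ, _READWRITE, _WRITECOPY

    $h = [ProcMem]::OpenProcess($PROCESS_QUERY_INFORMATION -bor $PROCESS_VM_READ, $false, $ProcessId)
    if ($h -eq [IntPtr]::Zero) {
        throw "OpenProcess($ProcessId) failed, error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    try {
        $mbi  = New-Object MEMORY_BASIC_INFORMATION
        $size = [IntPtr][Runtime.InteropServices.Marshal]::SizeOf($mbi)
        $addr = [IntPtr]::Zero
        # VirtualQueryEx returns 0 once $addr passes the end of the user address space.
        while ([ProcMem]::VirtualQueryEx($h, $addr, [ref]$mbi, $size) -ne [IntPtr]::Zero) {
            if ($mbi.State -eq $MEM_COMMIT -and $mbi.Type -eq $MEM_PRIVATE -and ($mbi.Protect -band $EXEC_MASK)) {
                [pscustomobject]@{
                    ProcessId = $ProcessId
                    Base      = ('0x{0:X16}' -f $mbi.BaseAddress.ToInt64())
                    SizeBytes = $mbi.RegionSize.ToInt64()
                    Protect   = ('0x{0:X2}' -f $mbi.Protect)
                }
            }
            $next = $mbi.BaseAddress.ToInt64() + $mbi.RegionSize.ToInt64()
            if ($next -le $addr.ToInt64()) { break }      # guard against overflow
            $addr = [IntPtr]$next
        }
    }
    finally { [void][ProcMem]::CloseHandle($h) }
}

Get-Process -Name explorer | ForEach-Object { Find-PrivateExecutableRegions $_.Id } | Format-Table -AutoSize
```

An empty result is the expected state for a native process such as explorer.exe. Hits are worth dumping and inspecting, but are not a verdict on their own: .NET and other JIT runtimes, some shell extensions, and some security or graphics software legitimately allocate private executable memory, so compare against a known-clean machine running the same software before calling it injection. The same walk can be pointed at any other process ID.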